FIDP-04

Do you employ host-based intrusion detection?

Explanation

This question is asking whether your organization uses host-based intrusion detection systems (HIDS) on your servers, workstations, or other computing devices. A host-based intrusion detection system is security software installed directly on individual devices (the 'hosts') that monitors and analyzes activity occurring within that specific system for suspicious behavior or policy violations. Unlike network-based intrusion detection systems (NIDS), which inspect traffic between devices, HIDS focuses on activity on the individual machine itself: it typically monitors system and authentication logs, file integrity (the hashes and permissions of critical files), registry changes on Windows, process execution, and other host-specific events to detect potential security incidents. Common HIDS solutions include OSSEC and Wazuh, as well as endpoint detection and response (EDR) products such as CrowdStrike Falcon that include HIDS functionality alongside response capabilities.

This question is being asked in a security assessment because:

1. HIDS provides an important layer of defense by detecting attacks that have bypassed perimeter defenses
2. It helps identify insider threats and malicious activity occurring directly on systems
3. It can detect changes to critical system files that might indicate a compromise
4. It is considered a security best practice and may be required by various compliance frameworks

When answering this question, you should:

1. Clearly state whether you do or do not employ HIDS
2. If you do, specify which HIDS solution(s) you use
3. State which systems are covered (all endpoints, only servers, etc.)
4. Briefly explain how alerts are monitored and responded to
5. If you don't use HIDS, explain what compensating controls you have in place
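The file-integrity monitoring that HIDS agents such as OSSEC and Wazuh perform works by recording a baseline of cryptographic hashes and permissions for watched files and then comparing the live filesystem against that baseline to raise alerts for added, deleted, modified or re-permissioned files. The following is an added example (not code from this page or from any HIDS vendor) showing that mechanism in Python. The directory layout, file contents and simulated attacker changes in demo() are constructed for the demonstration and are not taken from any real host.

```python
"""Minimal file-integrity monitor in the style of a HIDS syscheck module.

Added illustrative example; not the code of OSSEC, Wazuh, or any other product.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return the SHA-256 digest, permission bits and size of a regular file.

    Hashing content catches edits; recording the mode catches permission
    changes (for example a script made world-writable) that leave content intact.
    """
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def build_baseline(root):
    """Walk root and fingerprint every regular file, keyed by POSIX relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are skipped in this example
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline, current):
    """Diff two baselines and return a list of alert dicts.

    Events: 'added', 'deleted', 'modified' (content hash changed) and
    'mode_changed' (permission bits changed). A file can produce both of
    the last two.
    """
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alerts.append({"path": rel, "event": "added"})
        elif new is None:
            alerts.append({"path": rel, "event": "deleted"})
        else:
            if old["sha256"] != new["sha256"]:
                alerts.append({"path": rel, "event": "modified"})
            if old["mode"] != new["mode"]:
                alerts.append({"path": rel, "event": "mode_changed",
                               "old": oct(old["mode"]), "new": oct(new["mode"])})
    return alerts


def demo():
    """Constructed scenario: baseline a fake host tree, then simulate an intruder
    weakening sshd_config, dropping a binary, and loosening a script's permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\necho backup\n")
        os.chmod(root / "bin" / "backup.sh", 0o755)
        baseline = build_baseline(root)

        # Simulated attacker activity (constructed for the example)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "dropper").write_bytes(b"\x7fELF-not-a-real-binary")
        os.chmod(root / "bin" / "backup.sh", 0o777)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

Real agents add what this sketch omits: the baseline is stored off-host or signed so an attacker with root cannot rewrite it, scans are scheduled or driven by inotify, and alerts are shipped to a central manager or SIEM rather than printed locally.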

Example Responses

Example Response 1

Yes, we employ host-based intrusion detection across our environment. We use CrowdStrike Falcon EDR on all corporate workstations and servers, which provides real-time monitoring of system activity, file integrity monitoring, and behavioral analysis to detect potential intrusions. The solution is centrally managed, with alerts routed to our 24/7 Security Operations Center (SOC) for triage and response according to our incident response procedures. We also use OSSEC for additional file integrity monitoring on our critical infrastructure servers. All HIDS logs are forwarded to our SIEM platform for correlation with other security events and long-term storage.

Example Response 2

Yes, we implement host-based intrusion detection using Microsoft Defender for Endpoint across our Windows-based environment and Wazuh for our Linux servers. These solutions monitor for suspicious activity, unauthorized changes to critical system files, and potential malware execution. Our HIDS deployment covers 100% of our production servers and corporate workstations. The system is configured to generate alerts for suspicious activity, which are sent to our security team via our incident management platform. We review HIDS policies quarterly and update detection rules based on emerging threats and our own threat intelligence.

Example Response 3

No, we currently do not employ a dedicated host-based intrusion detection system. Instead, we rely on a defense-in-depth approach that includes network-based intrusion detection systems, next-generation firewalls with deep packet inspection, and endpoint protection platforms with anti-malware capabilities on all systems. We recognize the value of HIDS and have included its implementation in our security roadmap for the next fiscal quarter. In the meantime, we compensate for this gap through enhanced network monitoring, regular vulnerability scanning, and comprehensive system logging that feeds into our centralized log management solution.

Context

Tab
Infrastructure
Category
Firewalls, IDS, IPS, and Networking

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub